Hogan Lovells’ response follows the structure of the ICO consultation and is divided into three sections dealing with the ICO’s proposals to update its guidance, the proposed transfer risk assessment tool and the draft model international data transfer agreements.
The key points made in our response are as follows:
Section 1: Proposal and plans for the ICO to update its guidance on international transfers
- The applicability of the UK GDPR to the processing of personal data in the context of the activities of an establishment of a processor in the UK will depend on the circumstances affecting that processor, not the controller.
- Conversely, any processing undertaken by a processor on behalf of a controller subject to the UK GDPR on the basis of Article 3(2) will also be subject to the UK GDPR to the extent relevant to that processor.
- Whether a joint controller is covered by Art 3(1) of the UK GDPR will always depend on the circumstances applicable to that specific controller.
- For a restricted transfer to take place, there must be a transfer from one legal entity to another.
- There is no requirement for UK processors to regard data transfers to their non-UK GDPR subject controllers or similar third parties as restricted transfers.
- A restricted transfer takes place whenever the exporter is subject to UK GDPR (and may be located in the UK or overseas) and the importer is located outside of the UK. Therefore, whether or not the UK GDPR applies to the importer is not relevant.
- Nonetheless, from a public policy perspective, it may be justifiable to revise the regime dealing with restricted transfers in a way that it directly addresses potential conflicts of law without requiring the full applicability of Chapter V of the GDPR.
- It is correct to regard the Article 49 derogations as a mechanism of last resort on which it is possible to rely when the circumstances do not allow the provision of such safeguards.
- Within the parameters of Article 46, the parties involved in data transfers activities subject to the UK GDPR should be afforded maximum flexibility and discretion to select the most suitable data transfer mechanism for each case.
Section 2: Transfer risk assessments
- It would be helpful to produce a standalone TRA template report alongside the guidance in order to assist SMEs in understanding what the output of the tool will look like.
- Any specific guidance that the ICO could provide that could be used consistently for all UK controllers to minimise the need for companies to undertake specialised legal advice in this connection (e.g. lists of low risk countries or summaries of laws in key jurisdictions) would undoubtedly be welcomed by SMEs and large enterprises alike.
- The TRA tool could be formatted in a similar style to other interactive ‘self-assessment’ tools provided by the ICO.
- The TRA may provide a particularly useful tool where the risk of harm to data subjects is low.
- If the TRA was provided in the format of an interactive, self-assessment tool to assist SMEs with assessing the risk of their data transfers based on key risk factors, along with additional guidance, this would be of considerable help to minimise legal uncertainty and standardise the process of applying the concept of ‘low risk’ transfers in practice.
- In practice the TRA may be of limited practical benefit unless it also addresses more complex transfer scenarios involving importers located in multiple countries and / or multiple transfers for the same or multiple purposes.
Section 3: ICO model international data transfer agreements
- The IDTA provides effective safeguards for data subject rights.
- However, most businesses (including both SMEs and large companies) will be put off by the length of the IDTA.
- Factors which might deter companies from the use of the IDTA include: (i) lack of legal certainty and rigour in some of the language used, (ii) it is unclear how the IDTA will address multi-party scenarios, and (iii) the use of the UK Addendum to the EU SCCs is more straightforward.
- We suggest adopting an approach which uses more precise legal terms. This could be achieved by separating the guidance (drafted in clear and simple language) from the IDTA itself (drafted in a more legally precise way and including more commonly used contractual language).
- The modular approach provides greater certainty as to the clauses which apply to different data transfer scenarios.
- It is advisable to try to mitigate the risk of the parties incorrectly identifying themselves as controllers or processors by providing appropriate guidance alongside the IDTA about the roles and responsibilities of controllers and processors.
- It would be helpful to provide additional guidance with an explanation of when it may be advisable to use the IDTA or the EU SCCs and what the different consequences of using one or the other (if any) may be.
- The validation of model transfer agreements issued in other jurisdictions will be very useful given that a significant number of transfer agreements are aimed at addressing the restrictions on international data transfers across different jurisdictions.
- The UK addendum provides an extremely useful mechanism to maintain the continuity and familiarity of using the EU SCCs for international data transfers.
- It would be highly advisable to confirm that the format of the UK addendum (e.g. as a separate annex to a data transfer agreement including the EU SCCs) is not mandatory, and that it permissible to adapt and incorporate the UK addendum into a data transfer agreement as the parties see fit (e.g. as a clause in the main body of the agreement), provided the contents of the key provisions of the UK addendum are still covered in the data transfer agreement.
- It will be very relevant to state that the UK addendum can be used for data transfers from the UK only (as opposed to data transfers from both the EU and UK) so that organisations in that situation have the option to rely on either the IDTA or the EU SCCs with the UK addendum.
- It is essential that the ICO confirms as soon as possible that it regards the use of the UK addendum alongside the EU SCC as valid and compliant.
The submission to the ICO was authored by Eduardo Ustaran, Sian Rudgard, Katie McMullan, and Paula Garcia.